Migrate AD User and AADConnect to new Forest (Same O365 tenant)

LIT-RS 1 Reputation point
2020-11-04T15:44:08.693+00:00

Hi guys,

Over the last few weeks I've been reading a lot around Tenant-to-tenant migration, and we've been playing around with the new features and it's been pretty cool.

BUT, I have a question around migrating AD User Objects and standing up a new AADConnect server in a new environment but still syncing into the SAME Azure AD & O365 tenant.

(NOT a new tenant. Same tenant, but Source of Authority is now a new AD Forest and a new AADConnect Server)

So in summary:

Current Set up:

  • On-Premise Active Directory (AD users) in Forest A
  • All users are synced via AAD Connect server in Forest A
  • Hybrid with Exchange 2016 in Forest B (two-way trust with Forest A)
  • All mailboxes are migrated to Exchange Online

Target Set up:

Due to Business reasons (change in datacentre/supplier), we want to continue to use the existing O365 Tenant and Azure subscription, but need to migrate AD Objects (Source of Authority) and stand up a new AAD Connect server to sync the AD objects to the migrated mailboxes in the environment.

So the Target environment would look like this:

  • All AD Users (source of authority) are in Forest C (We will set up a Two-Way trust with Forest A)
  • The AADConnect server to sync all objects to the O365 tenant will also need to be stood up in Forest C
  • The EXO mailboxes in O365 should not be impacted.

AFAIK, there is limited documentation around this online, but if anyone has any experience around this, have used any articles, or can think of any gotchas, would be good to get your views.

I've done something similar with a few previous customers so have a high-level idea but would be good to see if anyone has done this - I know it will require an AD migration cross-forest (maybe ADMT/3rd party like Quest) and I guess the UPNs will change for the users, but more around planning (coexistence/phased vs. cutover), etc.

UPDATE: No need for AD user objects to be migrated; customer has manually re-created the AD user objects in their Target AD environment and they have given the users new laptop devices in the new target AD environment.
As all mailboxes are migrated to Exchange Online and there are no mailboxes on-premises, Autodiscover DNS points to autodiscover.outlook.com - Therefore, when the user logs in to their new laptop device, their Outlook client profile is manually configured to point to Exchange Online.

Thanks

Ron


10 answers

  1. Lydia Zhou - MSFT 2,371 Reputation points Microsoft Employee
    2020-11-05T06:51:30.237+00:00

    @LIT-RS

    Do you mean forest A is the account forest, and mailboxes migrated to O365 are linked mailboxes in forest B?

    The steps provided by NiklasN should be correct. However, if you just want to manage mailboxes from on-premises and hybrid features are not needed, we don't have to deploy the hybrid configuration. Also, we have to extend AD schema for Exchange in forest C for some Exchange attributes.
    For your reference: To disable directory synchronization and uninstall Exchange hybrid.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    3 people found this answer helpful.

  2. Niklas 181 Reputation points
    2020-11-04T20:23:23.47+00:00

    Hi Ron,

    just high level but should work:

    1. Create Domain for Forest C in O365
    2. decomission Hybrid in Forest B, set MX and Autodiscover to Cloud if not done already
    3. Migrate AD Accounts to Forest C (ADMT preferred in case you just need to do a "silly" user migration)
    4. Stop AD Connect on Forest A
    5. Ensure you have "Cloud only" accounts in O365
    6. Switch only the UPN in O365 to the newly created domain from Forest C (in case e-mail should also be switched to the new domain, prepare your AD objects and edit the "e-mail" attribute)
    7. Install AD Connect on Forest C
    8. Start Syncing
    9. AD Connect should do a soft match then
    10. Install minimal Hybrid on Forest C (just in case you need a GUI for administration) (I know, administration via Attribute Editor is not supported by MS but works very well, so maybe an Exchange is not needed)
    11. be happy :)

    I am not quite sure, but when you migrate users they normally have devices (AD Computer Objects) which also need to be migrated. So I guess you will do a coexistence scenario: in that case I would do it in a staged migration: Move users in Forest A to an OU which is not synced to O365. They will be deleted in O365 and you can recover them from the recycle bin and then they will be a "cloud only" user. For faster restoring you could use a PS script (additionally in this script you could also change the UPN to the Forest C domain) for that. Meanwhile you can migrate these users with ADMT to the new domain and let them sync with the newly installed AD Connect in Forest C.

    Best
    Niklas

    1 person found this answer helpful.
    0 comments No comments
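The staged step Niklas describes (user leaves the Forest A sync scope, is soft-deleted, is restored as cloud-only, gets its UPN moved to the Forest C domain, then gets picked up by the new AAD Connect) is the part people most often script by hand. The block below is an added example written for this thread, not code from the original post or from Microsoft. It uses the MSOnline and ActiveDirectory modules that were current in 2020, assumes `Connect-MsolService` has already been run, and treats the domain names, the DC name and the "UPN prefix equals sAMAccountName" convention as placeholders. The `-HardMatch` switch goes one step beyond the post: it pre-seeds `ImmutableId` from the Forest C `objectGUID` so the new connector hard-matches on sourceAnchor instead of depending on soft match.

```powershell
# Added example: convert out-of-scope Forest A users to cloud-only, move their UPN to the
# Forest C domain, and prepare them for matching by the new AAD Connect server.
# Assumptions (not from the thread): MSOnline + ActiveDirectory modules, Connect-MsolService
# already run, UPN prefix == sAMAccountName in Forest C, placeholder domain/DC names.
param(
    [string]$OldDomain = 'forest-a.example',       # assumed: UPN suffix synced from Forest A
    [string]$NewDomain = 'forest-c.example',       # assumed: verified domain for Forest C (Niklas step 1)
    [string]$ForestCDC = 'dc01.forest-c.example',  # assumed: a DC in the target forest
    [switch]$HardMatch                             # set ImmutableId from the Forest C objectGUID
)

# 1. Users moved to a non-synced OU in Forest A appear as soft-deleted in Azure AD.
$deleted = Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.UserPrincipalName -like "*@$OldDomain" }

foreach ($u in $deleted) {
    # 2. Restore from the recycle bin; the object is now cloud-managed (Niklas step 5).
    Restore-MsolUser -ObjectId $u.ObjectId -ErrorAction Stop

    # 3. Rename the UPN to the Forest C domain (Niklas step 6). Set-MsolUserPrincipalName
    #    keys on the *current* UPN, so do this before anything else touches the object.
    $prefix = ($u.UserPrincipalName -split '@')[0]
    $newUpn = "$prefix@$NewDomain"
    Set-MsolUserPrincipalName -UserPrincipalName $u.UserPrincipalName -NewUserPrincipalName $newUpn

    if ($HardMatch) {
        # 4a. Hard match: the default sourceAnchor (ms-DS-ConsistencyGuid, seeded from objectGUID)
        #     is the base64 form of the GUID bytes. Compute it from the Forest C account so the new
        #     connector joins on ImmutableId and never has to guess via UPN/proxyAddresses.
        $adUser = Get-ADUser -Server $ForestCDC -Filter "SamAccountName -eq '$prefix'" -Properties objectGUID
        if ($null -eq $adUser) {
            Write-Warning "No Forest C account for $prefix; leaving ImmutableId unset so soft match can run"
            continue
        }
        $immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
        Set-MsolUser -UserPrincipalName $newUpn -ImmutableId $immutableId
    }
    else {
        # 4b. Soft match (Niklas step 9) only works when the cloud object has no ImmutableId,
        #     so clear any value left over from the Forest A sync.
        Set-MsolUser -UserPrincipalName $newUpn -ImmutableId "$null"
    }
    Write-Output "Restored $($u.UserPrincipalName) -> $newUpn"
}
```

Two practical checks before running it against a real tenant: the Forest C domain must already be added and verified in the tenant or the UPN rename is rejected, and the restore should be done while Forest A's connector is still present but the users are out of its scope, otherwise the objects are hard-deleted after the retention window rather than sitting in the recycle bin. On tenants where MSOnline has since been retired, the same steps map to `Restore-MgDirectoryDeletedItem`, `Update-MgUser -UserPrincipalName` and `Update-MgUser -OnPremisesImmutableId` in the Microsoft Graph PowerShell SDK.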

  3. LIT-RS 1 Reputation point
    2020-11-05T10:33:49.793+00:00

    Do you mean forest A is the account forest, and mailboxes migrated to O365 are linked mailboxes in forest B?

    @Lydia Zhou - MSFT
    Hi Lydia, Thanks for your reply. Correct - They've got their Enabled AD User objects in Forest A and have the Exchange Hybrid set up in Forest B, therefore linked mailboxes which have (99% or all) been migrated to Exchange Online.

    I appreciate that we can only have one primary AADConnect server per Azure tenant, so do you have any thoughts on how we would go about configuring a new AADConnect Server in Forest C (the new forest) and connected to sync to the same Azure O365 tenant? I was thinking maybe something like:

    • 2-way Trust in place between Forest A and Forest C
    • Install a new AADC instance as a Staging Server in Forest C
    • Replicate the in-scope OUs and Security Groups that are in AADC in Forest A (Active) to AADC in Forest C (Staging)
    • Switchover Staging in Forest C as Primary
    • Later on, remove the Forest A (now Staging) AADC server from farm?

    Thoughts?